feat: Allow configuring the OAuth compatibility mode

2026-05-25 16:54:06 +00:00 · 2026-05-01 10:57:44 -04:00
parent e77f65bc1d
commit ffca47b257
12 changed files with 122 additions and 25 deletions
@@ -1,9 +1,12 @@
 use axum::{
 	Json, Router,
-	extract::State,
+	extract::{Request, State},
+	middleware::{self, Next},
+	response::{IntoResponse, Response},
 	routing::method_routing::{get, post},
 };
 use const_str::concat;
+use http::StatusCode;
 use serde_json::json;
 pub(crate) use server_metadata::*;

@@ -19,14 +22,28 @@
 const TOKEN_PATH: &str = "grant/token";
 const ACCOUNT_MANAGEMENT_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/account/deeplink");

-pub(crate) fn router() -> Router<crate::State> {
-	Router::new().nest(BASE_PATH, oauth_router())
-	// TODO(unspecced): used by old versions of the matrix-js-sdk
-	.route("/.well-known/openid-configuration", get(
-		async |State(services): State<crate::State>| {
-			Json(authorization_server_metadata(&services).await)
-		}
-	))
+pub(crate) fn router(state: crate::State) -> Router<crate::State> {
+	Router::new()
+		.nest(BASE_PATH, oauth_router())
+		.route(
+			"/.well-known/openid-configuration",
+			get(
+				// TODO(unspecced): used by old versions of the matrix-js-sdk
+				async |State(services): State<crate::State>| {
+					Json(authorization_server_metadata(&services).await)
+				},
+			),
+		)
+		.layer(middleware::from_fn_with_state(
+			state,
+			async |State(state): State<crate::State>, request: Request, next: Next| -> Response {
+				if state.config.oauth.compatibility_mode.oauth_available() {
+					next.run(request).await
+				} else {
+					(StatusCode::NOT_FOUND, "OAuth is unavailable on this server").into_response()
+				}
+			},
+		))
 }

 fn oauth_router() -> Router<crate::State> {
@@ -1,5 +1,5 @@
 use axum::extract::State;
-use conduwuit::Result;
+use conduwuit::{Err, Result};
 use ruma::{
 	api::client::discovery::get_authorization_server_metadata::{
 		self, v1::AccountManagementAction,
@@ -21,6 +21,10 @@ pub(crate) async fn get_authorization_server_metadata_route(
 	State(services): State<crate::State>,
 	_body: Ruma<get_authorization_server_metadata::v1::Request>,
 ) -> Result<get_authorization_server_metadata::v1::Response> {
+	if !services.config.oauth.compatibility_mode.oauth_available() {
+		return Err!(Request(Unrecognized("OAuth is unavailable on this server")));
+	}
+
 	let metadata = Raw::new(&authorization_server_metadata(&services).await).unwrap();

 	Ok(get_authorization_server_metadata::v1::Response::new(metadata.cast_unchecked()))
@@ -43,6 +43,12 @@ pub(crate) async fn get_login_types_route(
 	ClientIp(client): ClientIp,
 	_body: Ruma<get_login_types::v3::Request>,
 ) -> Result<get_login_types::v3::Response> {
+	if !services.config.oauth.compatibility_mode.uiaa_available() {
+		return Err!(Request(Unrecognized(
+			"User-interactive authentication is not available on this server."
+		)));
+	}
+
 	Ok(get_login_types::v3::Response::new(vec![
 		get_login_types::v3::LoginType::Password(PasswordLoginType::default()),
 		get_login_types::v3::LoginType::ApplicationService(ApplicationServiceLoginType::default()),
@@ -118,10 +124,15 @@ pub(crate) async fn login_route(
 	ClientIp(client): ClientIp,
 	body: Ruma<login::v3::Request>,
 ) -> Result<login::v3::Response> {
+	if !services.config.oauth.compatibility_mode.uiaa_available() {
+		return Err!(Request(Unrecognized(
+			"User-interactive authentication is not available on this server."
+		)));
+	}
+
 	let emergency_mode_enabled = services.config.emergency_password.is_some();

 	// Validate login method
-	// TODO: Other login methods
 	let user_id = match &body.login_info {
 		#[allow(deprecated)]
 		| login::v3::LoginInfo::Password(login::v3::Password {
@@ -10,7 +10,7 @@
 	response::{IntoResponse, Redirect},
 	routing::{any, get, post},
 };
-use conduwuit::{Server, err};
+use conduwuit::err;
 pub(super) use conduwuit_service::state::State;
 use http::{Uri, uri};

@@ -18,8 +18,8 @@
 pub(super) use self::{args::Args as Ruma, response::RumaResponse};
 use crate::{admin, client, server};

-pub fn build(router: Router<State>, server: &Server) -> Router<State> {
-	let config = &server.config;
+pub fn build(router: Router<State>, state: State) -> Router<State> {
+	let config = &state.server.config;
 	let mut router = router
        .ruma_route(&client::appservice_ping)
 		.ruma_route(&client::get_supported_versions_route)
@@ -186,7 +186,7 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::get_rtc_transports)
 		.ruma_route(&client::room_initial_sync_route)
 		.ruma_route(&client::get_authorization_server_metadata_route)
-		.merge(client::oauth::router())
+		.merge(client::oauth::router(state))
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))
 		.route("/_continuwuity/server_version", get(client::conduwuit_server_version))
 		.ruma_route(&admin::rooms::ban::ban_room)